HealthSafe ISMS - Context of the Organisation and Interested Parties - (PENDING APPROVAL)
(ISO/IEC 27001:2022 – Clauses 4.1 & 4.2)
1. Purpose
The purpose of this document is to define and document the internal and external issues relevant to HealthSafe’s Information Security Management System (ISMS), as well as the interested parties and their requirements. This ensures that the ISMS is aligned with the organisation’s strategic direction and is capable of achieving its intended outcomes.
2. Internal Context of the Organisation (Clause 4.1)
HealthSafe has identified the following internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the ISMS:
2.1 Organisational Structure and Governance
HealthSafe operates with a defined organisational structure consisting of leadership, operational, and support functions. Key roles include the Chief Executive Officer (CEO), Information Security leadership (CISO), Customer Success, Sales, and Product/Engineering functions. Certain technical and operational functions, including software development and marketing, are supported through outsourced partners. Governance is maintained through defined reporting lines, management oversight, and documented policies.
2.2 Roles and Responsibilities
Roles and responsibilities for information security are defined and assigned across the organisation. Accountability for information security is established at leadership level, with operational responsibilities distributed across relevant functions. Third-party providers are also assigned responsibilities through contractual agreements and supplier management processes.
2.3 Business Processes
HealthSafe delivers services that involve the processing, storage, and transmission of customer data. Core business processes include customer onboarding, service delivery, platform operation, and customer support. These processes require the protection of confidentiality, integrity, and availability of information assets.
2.4 Technological Environment
HealthSafe operates a cloud-based infrastructure primarily hosted on Amazon Web Services (AWS). The environment includes web applications, databases, APIs, and supporting infrastructure components. Security controls implemented within this environment include firewalls, intrusion detection mechanisms, encryption, monitoring, and access control systems.
2.5 Information Security Policies and Procedures
HealthSafe maintains a comprehensive suite of ISMS policies and procedures that define the organisation’s approach to managing information security. These include, but are not limited to, access control, network security, incident management, risk management, supplier management, and business continuity. These documents provide the framework for implementing and maintaining effective security controls.
2.6 Use of Third Parties and Outsourcing
HealthSafe engages third-party providers to support specific business and technical functions, including software development and marketing services. These relationships are governed through contractual agreements, including security requirements, and are subject to supplier risk management and oversight processes.
2.7 Resources and Competence
HealthSafe relies on a combination of internal personnel and external partners to deliver its services. Competence requirements are defined through role responsibilities, and personnel are supported through induction and training processes. Resource availability and capability are considered in the implementation and operation of the ISMS.
3. External Context of the Organisation (Clause 4.1)
HealthSafe has identified the following external issues relevant to the ISMS:
- Applicable legal, regulatory, and contractual requirements relating to data protection and information security
- Industry standards and best practices, including ISO/IEC 27001:2022
- Threat landscape, including cybersecurity risks such as malware, intrusion attempts, and denial-of-service attacks
- Dependence on third-party service providers, including cloud service providers (e.g., AWS)
- Expectations of clients and stakeholders regarding the protection of sensitive information
These external factors are monitored and reviewed as part of the ISMS and risk management processes.
4. Interested Parties and Their Requirements (Clause 4.2)
HealthSafe has identified the following interested parties relevant to the ISMS, along with their requirements:
| Interested Party | Relevant Requirements | Addressed within ISMS |
|---|---|---|
| Clients | Protection of sensitive and personal data, service availability, confidentiality | Yes |
| Employees | Secure systems, clear policies, and access to information required for their roles | Yes |
| Regulatory Authorities | Compliance with applicable laws and regulations (e.g., data protection) | Yes |
| Suppliers and Partners | Secure data exchange, defined responsibilities, and contractual obligations | Yes |
| Certification Body | Compliance with ISO/IEC 27001:2022 requirements | Yes |
HealthSafe determines which of these requirements are addressed through the ISMS and ensures appropriate controls are implemented.
5. Review and Maintenance
This document is reviewed periodically as part of the ISMS management review process or when significant changes occur to the organisation, its context, or its stakeholders.
Document Owner: Eparama Tuibenau - Head of Customer Success
Approved By: Gideon Burke - CEO (PENDING APPROVAL)
Version: 1.0
Date: 19 March 2026